GS Logo
The Green Sheet, Inc

Please Log in

Banner Ad
View Archives

View flipbook of this issue

Care to Share?

Table of Contents

Lead Story

EMV, four months on

Patti Murphy

Thicken that skin


Industry Update

FTC takes on big data

U.S. adds six Russian banks to OFAC banned list

MasterPass joins Wal-Mart payment mix

New DOT standards reach airport kiosks


The automated ISO

Phablet popularity soars this holiday season

Felix Richter
Statista Inc.

Smarthphone-driven commerce


Choice not chance

Dale S. Laszig
DSL Direct LLC

Will we be Uberized?

Ken Musante
Eureka Payments LLC


Street SmartsSM:
Facts and figures of the MLS

Jeffrey I. Shavitz
TrafficJamming LLC

The M&A market 2016: 10 things to know to best position your business

Adam Hark

Real capabilities of tokenization in mobile payments

David Poole

Termination: The end or a new beginning?

Adam Atlas
Attorney at Law

The high-risk merchant services opportunity

Matt O'Shea
National Bank Services

The time is right for second generation P2PE

Ruston Miles
Bluefin Payment Systems LLC

Company Profile


New Products

Holistic approach to cybersecurity

Next Generation Security Assessment Services
Redhawk Network Security LLC

Future-proof, obsolescence-free POS

CardWare International Inc.


Letter From the Editors

Readers Speak: Much ado about faster payments

Boost Your Biz:Earn respect with your website

ISOMetrics:Online retailer status update

GS Book Notes:Powerful presence, powerful stories

Resource Guide


Skyscraper Ad

The Green Sheet Online Edition

January 25, 2016  •  Issue 16:01:02

previous next

Real capabilities of tokenization in mobile payments

By David Poole

During the first three quarters of 2014, global payment and transaction companies raised a combined $1.18 billion through 75 funding deals ( More and more banks have launched plans to build mobile payments directly into their mobile banking apps. And a broad range of payment options and channels – from Apple Pay to Google Wallet, from Samsung Pay to Visa Checkout – are in the market, vying for majority adoption.

But with the increasing amount of technology developed to create a fast, convenient payment experience and the rising number of high-profile data breaches within the last year, merchants, issuers, payment schemes and consumers are more than ever prioritizing payment and data security.

In the scramble to find new ways of protecting personal details and avoiding embarrassing data breaches, tokenization is being promoted as the defense against mobile payment fraud. Of course, the use of tokens – the process of substituting a sensitive data element with a nonsensitive equivalent – is well respected. Applied to the payment card industry, tokenization has been used as an encryption method for cardholder information post-authorization for many years.

In their most basic form, payment tokens are surrogate values that replace primary account numbers (PANs) and can be used for mobile POS transactions, in-app purchases or online purchases to limit the impact of data breaches or sporadic card theft.

The Payment Security Taskforce ( defines three different types of payment tokens:

  1. EMV (Europay, MasterCard and Visa) tokens: Compliant with the EMV Payment Tokenization Specification, developed as a multischeme initiative by Visa, MasterCard and American Express.
  2. Acquiring tokens: Created by the acquirer, merchant or a Payment Service Provider (PSP) after cardholders present their payment credentials.

  3. Issuer tokens: Also known as virtual card numbers or alternate PANs, created by issuers to reduce risk in specific use cases.

Token credentials can be limited to use on a specific device, at a specific merchant or for specific types of goods and services. The uses, advantages and disadvantage are diverse. Yet for all the promise of tokenization, it is not above significant criticism.

The first concern is the extent to which tokenization adheres to the Payment Card Industry Data Security Standard. In its most recent guide to the use of tokens, the PCI Security Standards Council discusses the role of tokenization in "reducing the risk of unauthorized disclosure of a PAN" (

The use of the word "reducing" is critical here, because this is what tokenization does. It reduces risk; it doesn't eliminate it. Of course, the nature of risk is such that it is never entirely eliminated, and it would be unfair to expect otherwise. Yet it is a stark warning that tokenization is not elemental, nor should it be treated as beyond improvement.

Cybercriminals are dynamic in their approach, improving their methods daily, proving that what was once thought to be safe is now breachable. In future years, device proliferation will continue and will expand beyond smartphones into wearables and the Internet of things.

Tokenization has a critical role to play, but only as part of a multilayered security solution that also incorporates other protective methods such as end-to-end encryption, biometrics and strong user authentication, the latter of which can be implemented as a "step-up" security method by merchants, under predefined circumstance to maintain good customer experiences.

We may hear that security, although essential, slows down the innovation process. Innovation cannot be stopped by security, but security itself needs to find new, multilayered ways to help the payments ecosystem with compliance, risk and fraud reduction.

The payments industry needs further education around tokenization and understanding that although popular now, tokenization cannot be the only protection in place to ensure that sensitive information, like payment card data, personally identifiable data, or financial account data, remains safe.

David Poole, Business Development Director at myPINpad (, has spent more than 20 years at the forefront of new technology and payment processes. In previous roles he spearheaded the integration of electronic payments with custom POS solutions in hospitality and retail both in the U.K. and the United States. Before joining myPINpad in 2013, David was an executive at Miura, a technology company founded to reshape electronic payments. He oversaw the commercial success of the company during the three years he held this position. He can be reached at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | Humboldt Merchant Services | Impact Paysystems